Forensic analysts and the organizations employing them can simplify and expedite the forensic analysis process by preparing ahead of time. If you accept that system compromise is a matter of when, not if, then prepare your systems in advance for forensic analysis.

Before moving systems into production, grab a copy of Jesse Kornblum's MD5Deep from http://md5deep.sourceforge.net and create MD5 checksums of all the files on the system. Have your desktop folks incorporate this into their image-building process. If you're really diligent, update your hashes after applying patches.
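
The baseline-then-compare workflow described above, as an added example that is not part of the original post: it uses Python's `hashlib` as a stand-in for MD5Deep, and the function names and the sample file tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.md5()  # MD5 to match the MD5Deep baseline in the text
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative path: MD5 hex digest} for each regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): md5_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Report paths added, removed, or changed since the baseline was taken."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed sample tree: baseline it, alter it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"original build")
        (root / "notes.txt").write_bytes(b"unchanged")
        (root / "old.cfg").write_bytes(b"to be deleted")
        before = build_baseline(root)  # hashes taken before production
        (root / "bin" / "tool").write_bytes(b"replaced binary")
        (root / "new.tmp").write_bytes(b"appeared later")
        (root / "old.cfg").unlink()
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the production system cannot write to, and rebuild it after each patch cycle so that legitimate updates do not show up as changes during an investigation.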